If you follow physical security, and specifically the “Locksport” community, you might be interested in the open letter by Peter Field (chief architect of Medeco products) stating that Medeco (a big high security lock manufacturer) is embracing the Locksport community. This is huge news considering that lock manufacturers in general have been pretty reluctant to support the research of Marc Tobias and others in the past. From Marc’s post on In.Security:

“So it often falls upon the Locksport enthusiasts, hackers, or security professional, outside of the lock manufacturing community, to demonstrate vulnerabilities that should have been discovered by the manufacturer before offering their products for sale. In my experience, design engineers learn how to make things work quite well; they rarely are educated in how to break them. That is a fundamental problem. If locks were designed properly, hackers and others would not be able to circumvent security. It is about time that manufacturers recognized that the more minds that are evaluating their products, the better.”


Posted by Tom (http://spylogic.net), 2008-06-12T23:35:15Z; updated 2009-07-12T01:12:06Z

Hack a Day posted a cool tutorial today on how to make your own RGB combination door lock. What is this monstrosity of geekness? Think Star Trek, Star Wars or any other science fiction movie with scenes of cool blinky lights! Now you too can secure your man room, computer lab or whatever and really impress your friends. From Hack a Day:

“Instead of typing in numbers, your password is a unique set of colors.”

“By entering the correct color code, the pad will flash green and unlock the door for 10 seconds. If you go over the limit counter, it will flash red for 30 seconds.”

Pretty cool. Check out the pictures and details on the Hack a Day web site. Anyone have the nerve or electronics knowledge to put one of these together? Looks like part 2 of the article will talk about how to make the PC board, cut a custom wall plate, install the lock strike and more.


Posted by Tom (http://spylogic.net), 2008-05-09T10:49:52Z; updated 2009-07-12T01:12:06Z

This is one of those security breaches that underlines the need for physical security if you are doing remodeling or construction where there is potentially sensitive customer data being held…like a bank! From the official bank disclosure:

“The Hongkong and Shanghai Banking Corporation Limited confirms one of its computer servers went missing on 26 April 2008 at its Kwun Tong Branch, which has been undergoing renovation. The data held on the server includes account number, customer name, transaction amount and transaction type.”

Nice! This just adds to the list of breaches that HSBC has announced recently…not a good time to be an HSBC customer. Seriously though, all banks should look at the physical security around these renovations. Most construction sites I have seen have no security at all. I hardly ever see even a security fence around these locations. Take a look next time you drive by a store or building that is under a remodel or construction. You might be surprised at the lack of physical security of these locations.


Posted by agent0x0, 2008-02-14T10:20:47Z; updated 2009-07-12T01:12:06Z

So I was at the gym yesterday and noticed something that really bothered me….

As soon as I pulled into the gym parking lot I noticed that it was packed! Seems like everyone wanted to work out last night for some reason. So I grabbed my gym bag and went into the locker room to change. The locker room isn’t very big to begin with so I started to hunt for an open locker to drop my stuff into. Most every locker had a “Master Lock” brand combination or key lock. I finally found three lockers in a row that didn’t have locks. I opened up the first locker and it wasn’t empty. Someone’s cell phone, wallet, and ID all available for the taking. So I thought to myself, ok someone just forgot their lock right? I opened up the locker next to that one and saw another guy’s wallet and PDA just sitting there! No way…two in a row? Thinking that there is no way there would be three lockers in a row unsecured I opened up the third locker…what do you know…someone’s bag with car keys just sticking out of the bag. Amazing.

Lucky that I have some ethics and wouldn’t take someone’s stuff but the sad truth is that someone else could have easily stolen all of this stuff…wallets with credit cards, driver’s license, PDAs and cell phones all could be used for simple transactions or even worse identity theft.

What’s the lesson here? Buy yourself a lock! A Master Lock is like $3.99 (or cheaper). While you could crack one of these locks with very little effort, it does provide a good “deterrent” to prevent simple physical theft. At a busy gym someone might say something to you if you were trying to break a lock off by force, calculating magic numbers or by picking it!

Lock your stuff up at the gym…please!


Posted by agent0x0, 2007-10-08T08:50:45Z; updated 2009-07-12T01:12:06Z

Remember the movies where the bad guys replace the security guards’ video feed with a fake one showing an endless loop of nothing? Security researchers have just figured out how to do this on an AXIS 2100 Surveillance Camera. This is a popular camera that can be remotely controlled – and viewed over the web.

“This hack (.pdf) works by combining a few vulnerabilities in how the camera’s accompanying software accepts input — a type of security hole known as cross site scripting, or XSS.

In this case, the attacker first sends some malformed information — which is actually JavaScript — to the camera’s web server, which then writes that information to the log files. When the camera’s administrator checks the logs, the JavaScript executes, creating a new user account and e-mailing the attacker that the new account has been created.

…From there the attacker can simply change the HTML on the camera viewing page to secretly point the playback screen to another video file — one that can even be hosted on another web site.”

The trick is to get the administrator to check the logs, which could easily be done by sending a flood of traffic to the camera, causing a temporary denial of service to the camera. You can view the entire hack here. Full article is below.
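
The root cause in the quoted description is a log viewer that renders request data as HTML instead of text. As an added example (not from the original post or the researchers' paper), this sketch contrasts that pattern with output encoding and adds a simple triage check; the function names, paths and sample log lines are constructed for illustration.

```javascript
// Added example: rendering untrusted log lines in an admin log viewer.
// All log lines below are constructed sample data.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text for an HTML element context so markup in it stays inert.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern: logged request data is pasted into the page as markup,
// so anything a client put in a URL runs in the administrator's browser.
function renderLogUnsafe(lines) {
  return '<pre>' + lines.join('\n') + '</pre>';
}

// Hardened pattern: every log line is treated as text and encoded on output.
function renderLogSafe(lines) {
  return '<pre>' + lines.map(escapeHtml).join('\n') + '</pre>';
}

// Triage helper: flag log entries that contain markup-like content,
// which should never appear in a normal request line.
function findSuspiciousLines(lines) {
  const markup = /<\s*\/?\s*[a-z!][^>]*>|\bon[a-z]+\s*=|javascript:/i;
  return lines
    .map((line, i) => ({ lineNo: i + 1, line }))
    .filter((entry) => markup.test(entry.line));
}

// Constructed sample log: line 2 carries script markup in the request path.
const sampleLog = [
  '[07/Oct/2007:08:50:45] GET /index.html 200',
  '[07/Oct/2007:08:51:02] GET /<script>alert(1)</script> 404',
  '[07/Oct/2007:08:51:10] GET /admin/logs 401',
];

console.log(renderLogSafe(sampleLog));
console.log(findSuspiciousLines(sampleLog));
```

Encoding at render time is the fix; the triage check only helps spot entries worth a second look and is not a substitute for it.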